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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


x] Yes 


O No 


Q2 If not, please specify where improvements could be made. 


Q3 Does the draft code cover the right issues about data sharing? 


O Yes 


x] No 
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Q4 Ifno, what other issues would you like to be covered in it? 


Further clarity on the lawful basis for data sharing - whilst 
recognising that the code does not want to repeat existing ICO guidance 
on the different lawful bases, IDPE members would welcome further 
clarity on the difference between the lawful basis for processing data 
and the lawful basis for sharing data and whether more than one lawful 
basis can be relied on when data sharing. For example, in the context 
of our members, a school and parent/alumni association as joint data 
controllers may process data and rely on both legitimate interests and 
consent (to comply with PECR), however, could the lawful basis for data 
sharing then just be legitimate interests? 


Q5 Does the draft code contain the right level of detail? 


O Yes 


x] No 


Q6 Ifno, in what areas should there be more detail within the draft 
code? 


Please see response to question 4. 


The length of the guidance - IDPE member schools are concerned at 
the length of the code at 105 pages. Whilst the summary and ‘at a 
glance’ sections of the code are useful, they have requested whether a 
more practical checklist could be created to support the code and draw 
out key information to action, when considering data sharing. 


Repetition - IDPE member schools also felt that in some places there 
was repetition within the code, which if reduced could simplify the code 
further. For example, pages 16-17, detail data-sharing covered by the 
code, and detail the examples of data sharing on a routine basis and on 
a one-off ad hoc basis, then on page 18, there is are further sections on 
this which reiterate information from pages 16-17. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 
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O Yes 


x] No 


Q8__siIf no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


Ensuring compliance when already sharing data - the code covers 
what to consider if two or more data controllers are looking to share 
data in the future, but it does not provide guidance on what to do where 
data is already being shared across two data controllers. For example, 
should the data controllers merely carry out a review of their data 
sharing practice? Should they carry out a DPIA to demonstrate that 
there is no risk to sharing such data? Can data controllers 
retrospectively decide which lawful basis applies to the sharing of data? 


IDPE member schools have requested further clarity on how to move 
forward when already sharing data between two or more data 
controllers. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


x] Yes 


O No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


IDPE member schools welcomed the clarity in the code and the 
differentiation between legal obligations and good practice in data 
sharing. 
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Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


xX Yes 


O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


IDPE member schools welcomed the sections on Common concerns 
about data sharing and The benefits of data sharing, which 
challenge misconceptions and demonstrate benefits. 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


Yes 


X No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


Further examples/case studies - whilst IDPE member schools 
welcomed the examples that have been included within the actual code 
itself as well as the case studies in the appendices, they requested 
further relevant examples either from the third sector and more 
specifically fundraising, or from education. IDPE would be willing to 
work with the ICO on providing such case studies, for example where a 
school and the parent or alumni association are data controllers and 
how these two entities ensure good practice in data sharing. 


Accountability -— under the section entitled Accountability, it details 
the role of the Data Protection Officer (DPO) in a data sharing 
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arrangement, however the code does not clarify who should lead on this 
in the absence of a DPO and what their role should be. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


Strongly agree 
Agree 


O 
Xx 
O Neither agree nor disagree 
O Disagree 

O 


Strongly disagree 
Q1i6 Are you answering as: 


QO An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


CL] An individual acting in a professional capacity 
X On behalf of an organisation 


O Other 


Please specify the name of your organisation: 


The Institute of Development Professionals in Education (IDPE) 


Thank you for taking the time to share your views and experience. 


